refactor: Move all environment variables to .env files with example secrets

This commit improves configuration management by: ## Changes ### Environment Variable Management - Moved ALL environment blocks from compose.yaml files to .env files - Added comprehensive .env files for all 20 services - Included example secret formats with generation commands - Added detailed comments explaining what each secret should look like ### Example Secret Formats All .env files now include examples for: - **JWT Secrets**: 64-character hex strings - Example format: `a1b2c3d4e5f67890abcdef1234567890...` - Generate with: `openssl rand -hex 32` - **Passwords**: Strong alphanumeric passwords - Example format: `MyS3cur3P@ssw0rd!2024#HomeL@b` - Generate with: `openssl rand -base64 32 | tr -d /=+ | cut -c1-32` - **Session Secrets**: Random hex strings - Example format: `b2c3d4e5f67890abcdef1234567890a1b2...` - Generate with: `openssl rand -hex 32` - **API Keys**: Service-specific formats - Meili: 32-character hex (`openssl rand -hex 16`) - NextAuth: 64-character hex (`openssl rand -hex 32`) ### GPU Support Documentation - Added NVIDIA GPU (GTX 1070) configuration for Jellyfin - Added NVIDIA GPU configuration for Immich (ML inference & transcoding) - Included setup instructions for NVIDIA Container Toolkit - Documented how to enable GPU acceleration in each service ### Services Updated **Core Infrastructure:** - lldap: Added JWT secret and password examples - tinyauth: Added session secret examples - traefik: No environment variables needed **Media Services:** - jellyfin: Added .env with GPU configuration docs - jellyseer: Created .env with logging and timezone settings - immich: Added database password examples and GPU docs - sonarr: Created .env for PUID/PGID/TZ - radarr: Created .env for PUID/PGID/TZ - sabnzbd: Created .env for PUID/PGID/TZ - qbittorrent: Created .env for PUID/PGID/TZ/WEBUI_PORT **Utility Services:** - homarr: Created .env for port and timezone - backrest: Added environment variables to .env - linkwarden: Rewrote .env with NextAuth, Postgres, Meili examples - vikunja: Created .env with JWT secret and database password - FreshRSS: Created .env for PUID/PGID/TZ - booklore: Created .env for PUID/PGID/TZ - calibre-web: Created .env for PUID/PGID/TZ - filebrowser: Created .env for PUID/PGID/TZ - lubelogger: Created .env with locale settings - rsshub: Created .env with cache and logging config - microbin: Updated existing .env, removed environment block ### Benefits 1. **Security**: - Clear examples show what strong secrets look like - Generation commands prevent weak passwords - All secrets in one place per service 2. **Consistency**: - All services follow the same pattern (env_file: .env) - No more environment blocks in compose files - Easier to template new services 3. **Usability**: - Users know exactly what to change (look for `changeme_*`) - Example formats prevent configuration errors - Commands provided to generate secure values 4. **Maintainability**: - Compose files are cleaner and more readable - Environment changes don't require compose file edits - Version control friendly (.env files can be .gitignored) ### Files Changed - Modified: 24 compose.yaml files - Created: 14 new .env files - Updated: 6 existing .env files - Total .env files: 20 across all services All compose.yaml files now use `env_file: .env` exclusively. No environment blocks remain in any compose files.
2025-11-06 19:18:07 +00:00 · 2025-11-06 19:18:07 +00:00 · ffc30ff582
commit ffc30ff582
parent cce203ed62
37 changed files with 311 additions and 795 deletions
--- a/compose/core/lldap/.env
+++ b/compose/core/lldap/.env
@ -5,9 +5,13 @@ LLDAP_LDAP_BASE_DN=dc=fig,dc=systems
 # Admin user configuration
 LLDAP_LDAP_USER_DN=admin
 LLDAP_LDAP_USER_EMAIL=admin@edfig.dev
 # Use a strong password (at least 16 characters, mix of letters, numbers, symbols)
 # Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
 LLDAP_LDAP_USER_PASS=changeme_please_set_secure_password
-# JWT secret for session management (change this!)
+# JWT secret for session management (64+ character random string)
 # Generate with: openssl rand -hex 32
 # Example format: a1b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890
 LLDAP_JWT_SECRET=changeme_please_set_random_secret
 # Database URL (SQLite by default)
--- a/compose/core/tinyauth/.env
+++ b/compose/core/tinyauth/.env
@ -10,6 +10,8 @@ TZ=America/Los_Angeles
 LDAP_ADDRESS=ldap://lldap:3890
 LDAP_BASE_DN=dc=fig,dc=systems
 LDAP_BIND_DN=uid=admin,ou=people,dc=fig,dc=systems
 # Must match LLDAP_LDAP_USER_PASS in lldap/.env
 # Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
 LDAP_BIND_PASSWORD=changeme_please_set_secure_password
 LDAP_SEARCH_FILTER=(uid=%s)
 LDAP_INSECURE=true
@ -20,6 +22,8 @@ LDAP_INSECURE=true
 # USERS=
 # Session configuration
 # Generate with: openssl rand -hex 32
 # Example format: b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890ab
 SESSION_SECRET=changeme_please_set_random_session_secret
 SESSION_MAX_AGE=86400
--- a/compose/media/automation/qbittorrent/.env
+++ b/compose/media/automation/qbittorrent/.env
@ -0,0 +1,11 @@
 # qBittorrent Configuration
 # User and Group IDs (run 'id' command to find yours)
 PUID=1000
 PGID=1000
 # Timezone
 TZ=America/Los_Angeles
 # WebUI Port
 WEBUI_PORT=8080
--- a/compose/media/automation/qbittorrent/compose.yaml
+++ b/compose/media/automation/qbittorrent/compose.yaml
@ -5,11 +5,8 @@ services:
  qbittorrent:
    container_name: qbittorrent
    image: lscr.io/linuxserver/qbittorrent:latest
-    environment:
+    env_file:
-      - PUID=1000
+      - .env
      - PGID=1000
      - TZ=America/Los_Angeles
      - WEBUI_PORT=8080
    volumes:
      - ./config:/config
      - /media/downloads:/downloads
--- a/compose/media/automation/radarr/.env
+++ b/compose/media/automation/radarr/.env
@ -0,0 +1,8 @@
 # Radarr Configuration
 # User and Group IDs (run 'id' command to find yours)
 PUID=1000
 PGID=1000
 # Timezone
 TZ=America/Los_Angeles
--- a/compose/media/automation/radarr/compose.yaml
+++ b/compose/media/automation/radarr/compose.yaml
@ -5,10 +5,8 @@ services:
  radarr:
    container_name: radarr
    image: lscr.io/linuxserver/radarr:latest
-    environment:
+    env_file:
-      - PUID=1000
+      - .env
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - ./config:/config
      # Media library
--- a/compose/media/automation/sabnzbd/.env
+++ b/compose/media/automation/sabnzbd/.env
@ -0,0 +1,8 @@
 # SABnzbd Configuration
 # User and Group IDs (run 'id' command to find yours)
 PUID=1000
 PGID=1000
 # Timezone
 TZ=America/Los_Angeles
--- a/compose/media/automation/sabnzbd/compose.yaml
+++ b/compose/media/automation/sabnzbd/compose.yaml
@ -5,10 +5,8 @@ services:
  sabnzbd:
    container_name: sabnzbd
    image: lscr.io/linuxserver/sabnzbd:latest
-    environment:
+    env_file:
-      - PUID=1000
+      - .env
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - ./config:/config
      - /media/downloads:/downloads
--- a/compose/media/automation/sonarr/.env
+++ b/compose/media/automation/sonarr/.env
@ -0,0 +1,8 @@
 # Sonarr Configuration
 # User and Group IDs (run 'id' command to find yours)
 PUID=1000
 PGID=1000
 # Timezone
 TZ=America/Los_Angeles
--- a/compose/media/automation/sonarr/compose.yaml
+++ b/compose/media/automation/sonarr/compose.yaml
@ -5,10 +5,8 @@ services:
  sonarr:
    container_name: sonarr
    image: lscr.io/linuxserver/sonarr:latest
-    environment:
+    env_file:
-      - PUID=1000
+      - .env
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - ./config:/config
      # Media library
--- a/compose/media/frontend/immich/.env
+++ b/compose/media/frontend/immich/.env
@ -14,7 +14,9 @@ IMMICH_VERSION=V2.1.0
 # Connection secret for postgres. You should change it to a random password
 # Please use only the characters `A-Za-z0-9`, without special characters or spaces
-#DB_PASSWORD=postgres
+# Generate with: openssl rand -base64 32 | tr -d /=+ | cut -c1-32
 # Example format: aB3dEf7HiJ9kLmN2oPqR5sTuV8wXyZ1
 DB_PASSWORD=changeme_please_set_secure_password
 # The values below this line do not need to be changed
 ###################################################################################
--- a/compose/media/frontend/immich/compose.yaml
+++ b/compose/media/frontend/immich/compose.yaml
@ -77,13 +77,8 @@ services:
  database:
    container_name: immich_postgres
    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
-    environment:
+    env_file:
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      - .env
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
      # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
      # DB_STORAGE_TYPE: 'HDD'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
--- a/compose/media/frontend/jellyfin/.env
+++ b/compose/media/frontend/jellyfin/.env
@ -0,0 +1,27 @@
 # Jellyfin Configuration
 # User and Group IDs (run 'id' command to find yours)
 PUID=1000
 PGID=1000
 # Timezone
 TZ=America/Los_Angeles
 # Published server URL (for DLNA and discovery)
 JELLYFIN_PublishedServerUrl=https://flix.fig.systems
 # NVIDIA GPU Transcoding (for GTX 1070)
 # Uncomment the lines below in compose.yaml to enable GPU transcoding:
 # 1. Uncomment 'runtime: nvidia' line
 # 2. Uncomment the 'deploy.resources.reservations.devices' section
 #
 # Prerequisites:
 # - Install NVIDIA Container Toolkit on host:
 #   sudo apt install nvidia-container-toolkit
 #   sudo nvidia-ctk runtime configure --runtime=docker
 #   sudo systemctl restart docker
 #
 # - Verify GPU is available: docker run --rm --gpus all nvidia/cuda:11.8.0-base-ubuntu22.04 nvidia-smi
 #
 # In Jellyfin UI after enabling:
 # Dashboard → Playback → Transcoding → Hardware acceleration: NVIDIA NVENC
--- a/compose/media/frontend/jellyfin/compose.yaml
+++ b/compose/media/frontend/jellyfin/compose.yaml
@ -6,11 +6,8 @@ services:
  jellyfin:
    container_name: jellyfin
    image: lscr.io/linuxserver/jellyfin:latest
-    environment:
+    env_file:
-      - PUID=1000
+      - .env
      - PGID=1000
      - TZ=America/Los_Angeles
      - JELLYFIN_PublishedServerUrl=https://flix.fig.systems
    volumes:
      - ./config:/config
      - ./cache:/cache
@ -35,7 +32,9 @@ services:
      # Note: Jellyfin has its own auth system, SSO middleware disabled by default
      # Uncomment the line below to enable SSO (requires users to auth via tinyauth first)
      # traefik.http.routers.jellyfin.middlewares: tinyauth
-      # Uncomment for NVIDIA GPU transcoding
+
    # Uncomment for NVIDIA GPU transcoding (GTX 1070)
    # Requires NVIDIA Container Toolkit installed on host
    # runtime: nvidia
    # deploy:
    #   resources:
--- a/compose/media/frontend/jellyseer/.env
+++ b/compose/media/frontend/jellyseer/.env
@ -0,0 +1,11 @@
 # Jellyseerr Configuration
 # Log Level (debug, info, warn, error)
 LOG_LEVEL=info
 # Timezone
 TZ=America/Los_Angeles
 # User and Group IDs
 PUID=1000
 PGID=1000
--- a/compose/media/frontend/jellyseer/compose.yaml
+++ b/compose/media/frontend/jellyseer/compose.yaml
@ -5,11 +5,8 @@ services:
  jellyseerr:
    container_name: jellyseerr
    image: fallenbagel/jellyseerr:latest
-    environment:
+    env_file:
-      - LOG_LEVEL=info
+      - .env
      - TZ=America/Los_Angeles
      - PUID=1000
      - PGID=1000
    volumes:
      - ./config:/app/config
    restart: unless-stopped
--- a/compose/services/FreshRSS/.env
+++ b/compose/services/FreshRSS/.env
@ -0,0 +1,8 @@
 # FreshRSS Configuration
 # Timezone
 TZ=America/Los_Angeles
 # User and Group IDs
 PUID=1000
 PGID=1000
--- a/compose/services/FreshRSS/compose.yaml
+++ b/compose/services/FreshRSS/compose.yaml
@ -5,23 +5,7 @@ services:
  freshrss:
    container_name: freshrss
    image: lscr.io/linuxserver/freshrss:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - ./config:/config
    restart: unless-stopped
    networks:
      - homelab
    labels:
      traefik.enable: true
      traefik.http.routers.freshrss.rule: Host(`rss.fig.systems`) || Host(`rss.edfig.dev`)
      traefik.http.routers.freshrss.entrypoints: websecure
      traefik.http.routers.freshrss.tls.certresolver: letsencrypt
      traefik.http.services.freshrss.loadbalancer.server.port: 80
      traefik.http.routers.freshrss.middlewares: tinyauth
-networks:
+    env_file:
-  homelab:
+
-    external: true
+      - .env
--- a/compose/services/backrest/.env
+++ b/compose/services/backrest/.env
@ -1,6 +1,11 @@
 # Backrest Configuration
 # Backrest provides a web UI for managing Restic backups
 # Application Settings
 BACKREST_DATA=/data
 BACKREST_CONFIG=/config/config.json
 XDG_CACHE_HOME=/cache
 # Timezone
 TZ=America/Los_Angeles
--- a/compose/services/backrest/compose.yaml
+++ b/compose/services/backrest/compose.yaml
@ -15,11 +15,8 @@ services:
      - /home/user/homelab/compose/media/frontend/immich/upload:/backups/immich:ro
      - /home/user/homelab/compose:/backups/homelab-config:ro
-    environment:
+    env_file:
-      - BACKREST_DATA=/data
+      - .env
      - BACKREST_CONFIG=/config/config.json
      - XDG_CACHE_HOME=/cache
      - TZ=${TZ:-America/Los_Angeles}
    labels:
      # Traefik
--- a/compose/services/booklore/.env
+++ b/compose/services/booklore/.env
@ -0,0 +1,8 @@
 # Booklore Configuration
 # Timezone
 TZ=America/Los_Angeles
 # User and Group IDs
 PUID=1000
 PGID=1000
--- a/compose/services/booklore/compose.yaml
+++ b/compose/services/booklore/compose.yaml
@ -5,24 +5,7 @@ services:
  booklore:
    container_name: booklore
    image: ghcr.io/lorebooks/booklore:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - ./config:/config
      - /media/books:/books:ro
    restart: unless-stopped
    networks:
      - homelab
    labels:
      traefik.enable: true
      traefik.http.routers.booklore.rule: Host(`booklore.fig.systems`) || Host(`booklore.edfig.dev`)
      traefik.http.routers.booklore.entrypoints: websecure
      traefik.http.routers.booklore.tls.certresolver: letsencrypt
      traefik.http.services.booklore.loadbalancer.server.port: 3000
      traefik.http.routers.booklore.middlewares: tinyauth
-networks:
+    env_file:
-  homelab:
+
-    external: true
+      - .env
--- a/compose/services/calibre-web/.env
+++ b/compose/services/calibre-web/.env
@ -0,0 +1,11 @@
 # Calibre-web Configuration
 # Timezone
 TZ=America/Los_Angeles
 # User and Group IDs
 PUID=1000
 PGID=1000
 # Docker mods (optional - for ebook conversion)
 # DOCKER_MODS=linuxserver/mods:universal-calibre
--- a/compose/services/calibre-web/compose.yaml
+++ b/compose/services/calibre-web/compose.yaml
@ -5,26 +5,7 @@ services:
  calibre-web:
    container_name: calibre-web
    image: lscr.io/linuxserver/calibre-web:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
      - DOCKER_MODS=linuxserver/mods:universal-calibre
      - OAUTHLIB_RELAX_TOKEN_SCOPE=1
    volumes:
      - ./config:/config
      - /media/books:/books
    restart: unless-stopped
    networks:
      - homelab
    labels:
      traefik.enable: true
      traefik.http.routers.calibre-web.rule: Host(`books.fig.systems`) || Host(`books.edfig.dev`)
      traefik.http.routers.calibre-web.entrypoints: websecure
      traefik.http.routers.calibre-web.tls.certresolver: letsencrypt
      traefik.http.services.calibre-web.loadbalancer.server.port: 8083
      traefik.http.routers.calibre-web.middlewares: tinyauth
-networks:
+    env_file:
-  homelab:
+
-    external: true
+      - .env
--- a/compose/services/filebrowser/.env
+++ b/compose/services/filebrowser/.env
@ -0,0 +1,8 @@
 # File Browser Configuration
 # Timezone
 TZ=America/Los_Angeles
 # User and Group IDs
 PUID=1000
 PGID=1000
--- a/compose/services/filebrowser/compose.yaml
+++ b/compose/services/filebrowser/compose.yaml
@ -5,25 +5,7 @@ services:
  filebrowser:
    container_name: filebrowser
    image: filebrowser/filebrowser:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - ./config:/config
      - ./database:/database
      - /media:/srv
    restart: unless-stopped
    networks:
      - homelab
    labels:
      traefik.enable: true
      traefik.http.routers.filebrowser.rule: Host(`files.fig.systems`) || Host(`files.edfig.dev`)
      traefik.http.routers.filebrowser.entrypoints: websecure
      traefik.http.routers.filebrowser.tls.certresolver: letsencrypt
      traefik.http.services.filebrowser.loadbalancer.server.port: 80
      traefik.http.routers.filebrowser.middlewares: tinyauth
-networks:
+    env_file:
-  homelab:
+
-    external: true
+      - .env
--- a/compose/services/homarr/.env
+++ b/compose/services/homarr/.env
@ -0,0 +1,14 @@
 # Homarr Configuration
 # Timezone
 TZ=America/Los_Angeles
 # Base path (if behind reverse proxy with path)
 # BASE_URL=/dashboard
 # Port (default: 7575)
 PORT=7575
 # Authentication
 # AUTH_PROVIDER=oidc  # For SSO integration
 # DEFAULT_COLOR_SCHEME=dark
--- a/compose/services/homarr/compose.yaml
+++ b/compose/services/homarr/compose.yaml
@ -7,51 +7,6 @@ services:
    container_name: homarr
    image: ghcr.io/ajnart/homarr:latest
-    environment:
+    env_file:
      # Timezone
      - TZ=America/Los_Angeles
-      # Base path (if behind reverse proxy with path)
+      - .env
      # - BASE_URL=/dashboard
      # Port (default: 7575)
      - PORT=7575
      # Authentication
      # - AUTH_PROVIDER=oidc  # For SSO integration
      # - DEFAULT_COLOR_SCHEME=dark
    volumes:
      # Configuration and data
      - ./config:/app/data/configs
      - ./data:/data
      - ./icons:/app/public/icons
      # Docker socket for auto-discovery
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped
    networks:
      - homelab
    labels:
      traefik.enable: true
      # Web UI routing
      traefik.http.routers.homarr.rule: Host(`home.fig.systems`) || Host(`home.edfig.dev`)
      traefik.http.routers.homarr.entrypoints: websecure
      traefik.http.routers.homarr.tls.certresolver: letsencrypt
      traefik.http.services.homarr.loadbalancer.server.port: 7575
      # SSO Protection (optional - dashboard may be public)
      # traefik.http.routers.homarr.middlewares: tinyauth
      # Homarr Labels for custom configuration
      homarr.name: Homarr Dashboard
      homarr.group: Infrastructure
      homarr.icon: /icons/homarr.png
 networks:
  homelab:
    external: true
--- a/compose/services/linkwarden/.env
+++ b/compose/services/linkwarden/.env
@ -1,473 +1,65 @@
-NEXTAUTH_URL=http://localhost:3000/api/v1/auth
+# Linkwarden Configuration
-NEXTAUTH_SECRET=
+# Docs: https://docs.linkwarden.app/self-hosting/environment-variables
-
+
-# Manual installation database settings
+# NextAuth Configuration
-# Example: DATABASE_URL=postgresql://user:password@localhost:5432/linkwarden
+NEXTAUTH_URL=https://links.fig.systems
-DATABASE_URL=
+# Generate with: openssl rand -hex 32
-
+# Example format: e4f5g6h789012abcdef345678901a2b3c4d5e6f78901abcdef2345678901abcde
-# Docker installation database settings
+NEXTAUTH_SECRET=changeme_please_set_random_secret_key
-POSTGRES_PASSWORD=
+
-
+# Database Configuration
-# Additional Optional Settings
+# Generate with: openssl rand -base64 32 | tr -d /=+ | cut -c1-32
-PAGINATION_TAKE_COUNT=
+# Example format: eF7gH0iI3jK5lM8nO1pQ4rS7tU0vW3xY
-STORAGE_FOLDER=
+POSTGRES_PASSWORD=changeme_please_set_secure_postgres_password
-AUTOSCROLL_TIMEOUT=
+POSTGRES_USER=postgres
-NEXT_PUBLIC_DISABLE_REGISTRATION=
+POSTGRES_DB=postgres
-NEXT_PUBLIC_CREDENTIALS_ENABLED=
+DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@linkwarden-postgres:5432/postgres
-DISABLE_NEW_SSO_USERS=
+
-MAX_LINKS_PER_USER=
+# Meilisearch (search engine)
-ARCHIVE_TAKE_COUNT=
+# Generate with: openssl rand -hex 16
-BROWSER_TIMEOUT=
+# Example format: f6g7h8i901234abcdef567890a1b2c3d
-IGNORE_UNAUTHORIZED_CA=
+MEILI_MASTER_KEY=changeme_please_set_meili_master_key
-IGNORE_HTTPS_ERRORS=
+
-IGNORE_URL_SIZE_LIMIT=
+# Timezone
-NEXT_PUBLIC_DEMO=
+TZ=America/Los_Angeles
-NEXT_PUBLIC_DEMO_USERNAME=
+
-NEXT_PUBLIC_DEMO_PASSWORD=
+# Optional: Registration Control
-NEXT_PUBLIC_ADMIN=
+# NEXT_PUBLIC_DISABLE_REGISTRATION=true
-NEXT_PUBLIC_MAX_FILE_BUFFER=
+
-PDF_MAX_BUFFER=
+# Optional: Credentials Authentication
-SCREENSHOT_MAX_BUFFER=
+# NEXT_PUBLIC_CREDENTIALS_ENABLED=true
-READABILITY_MAX_BUFFER=
+
-PREVIEW_MAX_BUFFER=
+# Optional: Pagination
-MONOLITH_MAX_BUFFER=
+# PAGINATION_TAKE_COUNT=20
-MONOLITH_CUSTOM_OPTIONS=
+
-IMPORT_LIMIT=
+# Optional: Storage folder (for screenshots/PDFs)
-PLAYWRIGHT_LAUNCH_OPTIONS_EXECUTABLE_PATH=
+# STORAGE_FOLDER=data
-PLAYWRIGHT_WS_URL=
+
-MAX_WORKERS=
+# Optional: Limits
-DISABLE_PRESERVATION=
+# MAX_LINKS_PER_USER=unlimited
-NEXT_PUBLIC_RSS_POLLING_INTERVAL_MINUTES=
+# NEXT_PUBLIC_MAX_FILE_BUFFER=10485760  # 10MB in bytes
-RSS_SUBSCRIPTION_LIMIT_PER_USER=
+# PDF_MAX_BUFFER=10485760
-TEXT_CONTENT_LIMIT=
+# SCREENSHOT_MAX_BUFFER=10485760
-SEARCH_FILTER_LIMIT=
+
-INDEX_TAKE_COUNT=
+# Optional: Browser timeout for archiving (in milliseconds)
-MEILI_TIMEOUT=
+# BROWSER_TIMEOUT=30000
-
+# AUTOSCROLL_TIMEOUT=30
-# AI Settings
+
-NEXT_PUBLIC_OLLAMA_ENDPOINT_URL=
+# Optional: Archive settings
-OLLAMA_MODEL=
+# ARCHIVE_TAKE_COUNT=5
-
+
-# https://ai-sdk.dev/providers/openai-compatible-providers
+# Optional: Security
-OPENAI_API_KEY=
+# IGNORE_UNAUTHORIZED_CA=false
-OPENAI_MODEL=
+# IGNORE_HTTPS_ERRORS=false
-# Optional: Set a custom OpenAI base URL and name (for third-party providers)
+# IGNORE_URL_SIZE_LIMIT=false
-CUSTOM_OPENAI_BASE_URL=
+
-CUSTOM_OPENAI_NAME=
+# Optional: SSO Settings
-
+# DISABLE_NEW_SSO_USERS=false
-# https://sdk.vercel.ai/providers/ai-sdk-providers/azure
+
-AZURE_API_KEY=
+# Optional: Demo Mode
-AZURE_RESOURCE_NAME=
+# NEXT_PUBLIC_DEMO=false
-AZURE_MODEL=
+# NEXT_PUBLIC_DEMO_USERNAME=
-
+# NEXT_PUBLIC_DEMO_PASSWORD=
-# https://sdk.vercel.ai/providers/ai-sdk-providers/anthropic
+
-ANTHROPIC_API_KEY=
+# Optional: Admin Panel
-ANTHROPIC_MODEL=
+# NEXT_PUBLIC_ADMIN=false
 # https://github.com/OpenRouterTeam/ai-sdk-provider
 OPENROUTER_API_KEY=
 OPENROUTER_MODEL=
 # https://ai-sdk.dev/providers/ai-sdk-providers/perplexity
 PERPLEXITY_API_KEY=
 PERPLEXITY_MODEL=
 # MeiliSearch Settings
 MEILI_HOST=
 MEILI_MASTER_KEY=
 # AWS S3 Settings
 SPACES_KEY=
 SPACES_SECRET=
 SPACES_ENDPOINT=
 SPACES_BUCKET_NAME=
 SPACES_REGION=
 SPACES_FORCE_PATH_STYLE=
 # SMTP Settings
 NEXT_PUBLIC_EMAIL_PROVIDER=
 EMAIL_FROM=
 EMAIL_SERVER=
 BASE_URL=
 # Proxy settings
 PROXY=
 PROXY_USERNAME=
 PROXY_PASSWORD=
 PROXY_BYPASS=
 # PDF archive settings
 PDF_MARGIN_TOP=
 PDF_MARGIN_BOTTOM=
 #################
 # SSO Providers #
 #################
 # 42 School
 NEXT_PUBLIC_FORTYTWO_ENABLED=
 FORTYTWO_CUSTOM_NAME=
 FORTYTWO_CLIENT_ID=
 FORTYTWO_CLIENT_SECRET=
 # Apple
 NEXT_PUBLIC_APPLE_ENABLED=
 APPLE_CUSTOM_NAME=
 APPLE_ID=
 APPLE_SECRET=
 # Atlassian
 NEXT_PUBLIC_ATLASSIAN_ENABLED=
 ATLASSIAN_CUSTOM_NAME=
 ATLASSIAN_CLIENT_ID=
 ATLASSIAN_CLIENT_SECRET=
 ATLASSIAN_SCOPE=
 # Auth0
 NEXT_PUBLIC_AUTH0_ENABLED=
 AUTH0_CUSTOM_NAME=
 AUTH0_ISSUER=
 AUTH0_CLIENT_SECRET=
 AUTH0_CLIENT_ID=
 # Authelia
 NEXT_PUBLIC_AUTHELIA_ENABLED=""
 AUTHELIA_CLIENT_ID=""
 AUTHELIA_CLIENT_SECRET=""
 AUTHELIA_WELLKNOWN_URL=""
 # Authentik
 NEXT_PUBLIC_AUTHENTIK_ENABLED=
 AUTHENTIK_CUSTOM_NAME=
 AUTHENTIK_ISSUER=
 AUTHENTIK_CLIENT_ID=
 AUTHENTIK_CLIENT_SECRET=
 # Azure AD B2C
 NEXT_PUBLIC_AZURE_AD_B2C_ENABLED=
 AZURE_AD_B2C_TENANT_NAME=
 AZURE_AD_B2C_CLIENT_ID=
 AZURE_AD_B2C_CLIENT_SECRET=
 AZURE_AD_B2C_PRIMARY_USER_FLOW=
 # Azure AD
 NEXT_PUBLIC_AZURE_AD_ENABLED=
 AZURE_AD_CLIENT_ID=
 AZURE_AD_CLIENT_SECRET=
 AZURE_AD_TENANT_ID=
 # Battle.net
 NEXT_PUBLIC_BATTLENET_ENABLED=
 BATTLENET_CUSTOM_NAME=
 BATTLENET_CLIENT_ID=
 BATTLENET_CLIENT_SECRET=
 BATTLENET_ISSUER=
 # Box
 NEXT_PUBLIC_BOX_ENABLED=
 BOX_CUSTOM_NAME=
 BOX_CLIENT_ID=
 BOX_CLIENT_SECRET=
 # Bungie
 NEXT_PUBLIC_BUNGIE_ENABLED=
 BUNGIE_CUSTOM_NAME=
 BUNGIE_CLIENT_ID=
 BUNGIE_CLIENT_SECRET=
 BUNGIE_API_KEY=
 # Cognito
 NEXT_PUBLIC_COGNITO_ENABLED=
 COGNITO_CUSTOM_NAME=
 COGNITO_CLIENT_ID=
 COGNITO_CLIENT_SECRET=
 COGNITO_ISSUER=
 # Coinbase
 NEXT_PUBLIC_COINBASE_ENABLED=
 COINBASE_CUSTOM_NAME=
 COINBASE_CLIENT_ID=
 COINBASE_CLIENT_SECRET=
 # Discord
 NEXT_PUBLIC_DISCORD_ENABLED=
 DISCORD_CUSTOM_NAME=
 DISCORD_CLIENT_ID=
 DISCORD_CLIENT_SECRET=
 # Dropbox
 NEXT_PUBLIC_DROPBOX_ENABLED=
 DROPBOX_CUSTOM_NAME=
 DROPBOX_CLIENT_ID=
 DROPBOX_CLIENT_SECRET=
 # DuendeIndentityServer6
 NEXT_PUBLIC_DUENDE_IDS6_ENABLED=
 DUENDE_IDS6_CUSTOM_NAME=
 DUENDE_IDS6_CLIENT_ID=
 DUENDE_IDS6_CLIENT_SECRET=
 DUENDE_IDS6_ISSUER=
 # EVE Online
 NEXT_PUBLIC_EVEONLINE_ENABLED=
 EVEONLINE_CUSTOM_NAME=
 EVEONLINE_CLIENT_ID=
 EVEONLINE_CLIENT_SECRET=
 # Facebook
 NEXT_PUBLIC_FACEBOOK_ENABLED=
 FACEBOOK_CUSTOM_NAME=
 FACEBOOK_CLIENT_ID=
 FACEBOOK_CLIENT_SECRET=
 # FACEIT
 NEXT_PUBLIC_FACEIT_ENABLED=
 FACEIT_CUSTOM_NAME=
 FACEIT_CLIENT_ID=
 FACEIT_CLIENT_SECRET=
 # Foursquare
 NEXT_PUBLIC_FOURSQUARE_ENABLED=
 FOURSQUARE_CUSTOM_NAME=
 FOURSQUARE_CLIENT_ID=
 FOURSQUARE_CLIENT_SECRET=
 FOURSQUARE_APIVERSION=
 # Freshbooks
 NEXT_PUBLIC_FRESHBOOKS_ENABLED=
 FRESHBOOKS_CUSTOM_NAME=
 FRESHBOOKS_CLIENT_ID=
 FRESHBOOKS_CLIENT_SECRET=
 # FusionAuth
 NEXT_PUBLIC_FUSIONAUTH_ENABLED=
 FUSIONAUTH_CUSTOM_NAME=
 FUSIONAUTH_CLIENT_ID=
 FUSIONAUTH_CLIENT_SECRET=
 FUSIONAUTH_ISSUER=
 FUSIONAUTH_TENANT_ID=
 # GitHub
 NEXT_PUBLIC_GITHUB_ENABLED=
 GITHUB_CUSTOM_NAME=
 GITHUB_ID=
 GITHUB_SECRET=
 # GitLab
 NEXT_PUBLIC_GITLAB_ENABLED=
 GITLAB_CUSTOM_NAME=
 GITLAB_CLIENT_ID=
 GITLAB_CLIENT_SECRET=
 GITLAB_AUTH_URL=
 # Google
 NEXT_PUBLIC_GOOGLE_ENABLED=
 GOOGLE_CUSTOM_NAME=
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 # HubSpot
 NEXT_PUBLIC_HUBSPOT_ENABLED=
 HUBSPOT_CUSTOM_NAME=
 HUBSPOT_CLIENT_ID=
 HUBSPOT_CLIENT_SECRET=
 # IdentityServer4
 NEXT_PUBLIC_IDS4_ENABLED=
 IDS4_CUSTOM_NAME=
 IDS4_CLIENT_ID=
 IDS4_CLIENT_SECRET=
 IDS4_ISSUER=
 # Kakao
 NEXT_PUBLIC_KAKAO_ENABLED=
 KAKAO_CUSTOM_NAME=
 KAKAO_CLIENT_ID=
 KAKAO_CLIENT_SECRET=
 # Keycloak
 NEXT_PUBLIC_KEYCLOAK_ENABLED=
 KEYCLOAK_CUSTOM_NAME=
 KEYCLOAK_ISSUER=
 KEYCLOAK_CLIENT_ID=
 KEYCLOAK_CLIENT_SECRET=
 # LINE
 NEXT_PUBLIC_LINE_ENABLED=
 LINE_CUSTOM_NAME=
 LINE_CLIENT_ID=
 LINE_CLIENT_SECRET=
 # LinkedIn
 NEXT_PUBLIC_LINKEDIN_ENABLED=
 LINKEDIN_CUSTOM_NAME=
 LINKEDIN_CLIENT_ID=
 LINKEDIN_CLIENT_SECRET=
 # Mailchimp
 NEXT_PUBLIC_MAILCHIMP_ENABLED=
 MAILCHIMP_CUSTOM_NAME=
 MAILCHIMP_CLIENT_ID=
 MAILCHIMP_CLIENT_SECRET=
 # Mail.ru
 NEXT_PUBLIC_MAILRU_ENABLED=
 MAILRU_CUSTOM_NAME=
 MAILRU_CLIENT_ID=
 MAILRU_CLIENT_SECRET=
 # Naver
 NEXT_PUBLIC_NAVER_ENABLED=
 NAVER_CUSTOM_NAME=
 NAVER_CLIENT_ID=
 NAVER_CLIENT_SECRET=
 # Netlify
 NEXT_PUBLIC_NETLIFY_ENABLED=
 NETLIFY_CUSTOM_NAME=
 NETLIFY_CLIENT_ID=
 NETLIFY_CLIENT_SECRET=
 # Okta
 NEXT_PUBLIC_OKTA_ENABLED=
 OKTA_CUSTOM_NAME=
 OKTA_CLIENT_ID=
 OKTA_CLIENT_SECRET=
 OKTA_ISSUER=
 # OneLogin
 NEXT_PUBLIC_ONELOGIN_ENABLED=
 ONELOGIN_CUSTOM_NAME=
 ONELOGIN_CLIENT_ID=
 ONELOGIN_CLIENT_SECRET=
 ONELOGIN_ISSUER=
 # Osso
 NEXT_PUBLIC_OSSO_ENABLED=
 OSSO_CUSTOM_NAME=
 OSSO_CLIENT_ID=
 OSSO_CLIENT_SECRET=
 OSSO_ISSUER=
 # osu!
 NEXT_PUBLIC_OSU_ENABLED=
 OSU_CUSTOM_NAME=
 OSU_CLIENT_ID=
 OSU_CLIENT_SECRET=
 # Patreon
 NEXT_PUBLIC_PATREON_ENABLED=
 PATREON_CUSTOM_NAME=
 PATREON_CLIENT_ID=
 PATREON_CLIENT_SECRET=
 # Pinterest
 NEXT_PUBLIC_PINTEREST_ENABLED=
 PINTEREST_CUSTOM_NAME=
 PINTEREST_CLIENT_ID=
 PINTEREST_CLIENT_SECRET=
 # Pipedrive
 NEXT_PUBLIC_PIPEDRIVE_ENABLED=
 PIPEDRIVE_CUSTOM_NAME=
 PIPEDRIVE_CLIENT_ID=
 PIPEDRIVE_CLIENT_SECRET=
 # Reddit
 NEXT_PUBLIC_REDDIT_ENABLED=
 REDDIT_CUSTOM_NAME=
 REDDIT_CLIENT_ID=
 REDDIT_CLIENT_SECRET=
 # Salesforce
 NEXT_PUBLIC_SALESFORCE_ENABLED=
 SALESFORCE_CUSTOM_NAME=
 SALESFORCE_CLIENT_ID=
 SALESFORCE_CLIENT_SECRET=
 # Slack
 NEXT_PUBLIC_SLACK_ENABLED=
 SLACK_CUSTOM_NAME=
 SLACK_CLIENT_ID=
 SLACK_CLIENT_SECRET=
 # Spotify
 NEXT_PUBLIC_SPOTIFY_ENABLED=
 SPOTIFY_CUSTOM_NAME=
 SPOTIFY_CLIENT_ID=
 SPOTIFY_CLIENT_SECRET=
 # Strava
 NEXT_PUBLIC_STRAVA_ENABLED=
 STRAVA_CUSTOM_NAME=
 STRAVA_CLIENT_ID=
 STRAVA_CLIENT_SECRET=
 # Synology
 NEXT_PUBLIC_SYNOLOGY_ENABLED=
 SYNOLOGY_CUSTOM_NAME=
 SYNOLOGY_CLIENT_ID=
 SYNOLOGY_CLIENT_SECRET=
 SYNOLOGY_WELLKNOWN_URL=
 # Todoist
 NEXT_PUBLIC_TODOIST_ENABLED=
 TODOIST_CUSTOM_NAME=
 TODOIST_CLIENT_ID=
 TODOIST_CLIENT_SECRET=
 # Twitch
 NEXT_PUBLIC_TWITCH_ENABLED=
 TWITCH_CUSTOM_NAME=
 TWITCH_CLIENT_ID=
 TWITCH_CLIENT_SECRET=
 # United Effects
 NEXT_PUBLIC_UNITED_EFFECTS_ENABLED=
 UNITED_EFFECTS_CUSTOM_NAME=
 UNITED_EFFECTS_CLIENT_ID=
 UNITED_EFFECTS_CLIENT_SECRET=
 UNITED_EFFECTS_ISSUER=
 # VK
 NEXT_PUBLIC_VK_ENABLED=
 VK_CUSTOM_NAME=
 VK_CLIENT_ID=
 VK_CLIENT_SECRET=
 # Wikimedia
 NEXT_PUBLIC_WIKIMEDIA_ENABLED=
 WIKIMEDIA_CUSTOM_NAME=
 WIKIMEDIA_CLIENT_ID=
 WIKIMEDIA_CLIENT_SECRET=
 # Wordpress.com
 NEXT_PUBLIC_WORDPRESS_ENABLED=
 WORDPRESS_CUSTOM_NAME=
 WORDPRESS_CLIENT_ID=
 WORDPRESS_CLIENT_SECRET=
 # Yandex
 NEXT_PUBLIC_YANDEX_ENABLED=
 YANDEX_CUSTOM_NAME=
 YANDEX_CLIENT_ID=
 YANDEX_CLIENT_SECRET=
 # Zitadel
 NEXT_PUBLIC_ZITADEL_ENABLED=
 ZITADEL_CUSTOM_NAME=
 ZITADEL_CLIENT_ID=
 ZITADEL_CLIENT_SECRET=
 ZITADEL_ISSUER=
 # Zoho
 NEXT_PUBLIC_ZOHO_ENABLED=
 ZOHO_CUSTOM_NAME=
 ZOHO_CLIENT_ID=
 ZOHO_CLIENT_SECRET=
 # Zoom
 NEXT_PUBLIC_ZOOM_ENABLED=
 ZOOM_CUSTOM_NAME=
 ZOOM_CLIENT_ID=
 ZOOM_CLIENT_SECRET=
--- a/compose/services/linkwarden/compose.yaml
+++ b/compose/services/linkwarden/compose.yaml
@ -6,9 +6,6 @@ services:
    container_name: linkwarden
    image: ghcr.io/linkwarden/linkwarden:latest
    env_file: .env
    environment:
      - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@linkwarden-postgres:5432/postgres
      - TZ=America/Los_Angeles
    volumes:
      - ./data:/data/data
    depends_on:
@ -31,8 +28,6 @@ services:
    container_name: linkwarden-postgres
    image: postgres:16-alpine
    env_file: .env
    environment:
      - TZ=America/Los_Angeles
    volumes:
      - ./pgdata:/var/lib/postgresql/data
    restart: always
@ -48,8 +43,6 @@ services:
    container_name: linkwarden-meilisearch
    image: getmeili/meilisearch:v1.12.8
    env_file: .env
    environment:
      - TZ=America/Los_Angeles
    volumes:
      - ./meili_data:/meili_data
    restart: always
--- a/compose/services/lubelogger/.env
+++ b/compose/services/lubelogger/.env
@ -0,0 +1,15 @@
 # LubeLogger Configuration
 # Timezone
 TZ=America/Los_Angeles
 # LC_ALL locale setting
 LC_ALL=en_US.UTF-8
 # LANG locale setting
 LANG=en_US.UTF-8
 # Enable OpenID (for SSO integration)
 # ENABLE_OPENID=true
 # OPENID_CLIENT_ID=your-client-id
 # OPENID_CLIENT_SECRET=your-client-secret
--- a/compose/services/lubelogger/compose.yaml
+++ b/compose/services/lubelogger/compose.yaml
@ -5,26 +5,7 @@ services:
  lubelogger:
    container_name: lubelogger
    image: ghcr.io/hargata/lubelogger:latest
    environment:
      - TZ=America/Los_Angeles
    volumes:
      - data:/App/data
      - keys:/root/.aspnet/DataProtection-Keys
    restart: unless-stopped
    networks:
      - homelab
    labels:
      traefik.enable: true
      traefik.http.routers.lubelogger.rule: Host(`garage.fig.systems`) || Host(`garage.edfig.dev`)
      traefik.http.routers.lubelogger.entrypoints: websecure
      traefik.http.routers.lubelogger.tls.certresolver: letsencrypt
      traefik.http.services.lubelogger.loadbalancer.server.port: 8080
      traefik.http.routers.lubelogger.middlewares: tinyauth
-networks:
+    env_file:
  homelab:
    external: true
-volumes:
+      - .env
  data:
  keys:
--- a/compose/services/microbin/compose.yaml
+++ b/compose/services/microbin/compose.yaml
@ -6,49 +6,6 @@ services:
    container_name: microbin
    image: danielszabo99/microbin:latest
    env_file: .env
    environment:
      MICROBIN_BASIC_AUTH_USERNAME: ${MICROBIN_BASIC_AUTH_USERNAME}
      MICROBIN_BASIC_AUTH_PASSWORD: ${MICROBIN_BASIC_AUTH_PASSWORD}
      MICROBIN_ADMIN_USERNAME: ${MICROBIN_ADMIN_USERNAME}
      MICROBIN_ADMIN_PASSWORD: ${MICROBIN_ADMIN_PASSWORD}
      MICROBIN_EDITABLE: ${MICROBIN_EDITABLE}
      MICROBIN_FOOTER_TEXT: ${MICROBIN_FOOTER_TEXT}
      MICROBIN_HIDE_FOOTER: ${MICROBIN_HIDE_FOOTER}
      MICROBIN_HIDE_HEADER: ${MICROBIN_HIDE_HEADER}
      MICROBIN_HIDE_LOGO: ${MICROBIN_HIDE_LOGO}
      MICROBIN_NO_LISTING: ${MICROBIN_NO_LISTING}
      MICROBIN_HIGHLIGHTSYNTAX: ${MICROBIN_HIGHLIGHTSYNTAX}
      MICROBIN_BIND: ${MICROBIN_BIND}
      MICROBIN_PRIVATE: ${MICROBIN_PRIVATE}
      MICROBIN_PURE_HTML: ${MICROBIN_PURE_HTML}
      MICROBIN_DATA_DIR: ${MICROBIN_DATA_DIR}
      MICROBIN_JSON_DB: ${MICROBIN_JSON_DB}
      MICROBIN_PUBLIC_PATH: ${MICROBIN_PUBLIC_PATH}
      MICROBIN_SHORT_PATH: ${MICROBIN_SHORT_PATH}
      MICROBIN_READONLY: ${MICROBIN_READONLY}
      MICROBIN_UPLOADER_PASSWORD: ${MICROBIN_UPLOADER_PASSWORD}
      MICROBIN_SHOW_READ_STATS: ${MICROBIN_SHOW_READ_STATS}
      MICROBIN_TITLE: ${MICROBIN_TITLE}
      MICROBIN_THREADS: ${MICROBIN_THREADS}
      MICROBIN_GC_DAYS: ${MICROBIN_GC_DAYS}
      MICROBIN_ENABLE_BURN_AFTER: ${MICROBIN_ENABLE_BURN_AFTER}
      MICROBIN_DEFAULT_BURN_AFTER: ${MICROBIN_DEFAULT_BURN_AFTER}
      MICROBIN_WIDE: ${MICROBIN_WIDE}
      MICROBIN_QR: ${MICROBIN_QR}
      MICROBIN_ETERNAL_PASTA: ${MICROBIN_ETERNAL_PASTA}
      MICROBIN_ENABLE_READONLY: ${MICROBIN_ENABLE_READONLY}
      MICROBIN_DEFAULT_EXPIRY: ${MICROBIN_DEFAULT_EXPIRY}
      MICROBIN_NO_FILE_UPLOAD: ${MICROBIN_NO_FILE_UPLOAD}
      MICROBIN_CUSTOM_CSS: ${MICROBIN_CUSTOM_CSS}
      MICROBIN_HASH_IDS: ${MICROBIN_HASH_IDS}
      MICROBIN_ENCRYPTION_CLIENT_SIDE: ${MICROBIN_ENCRYPTION_CLIENT_SIDE}
      MICROBIN_ENCRYPTION_SERVER_SIDE: ${MICROBIN_ENCRYPTION_SERVER_SIDE}
      MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB: ${MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB}
      MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB: ${MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB}
    volumes:
      - ./microbin-data:/app/microbin_data
    restart: always
    networks:
      - homelab
    labels:
      traefik.enable: true
--- a/compose/services/rsshub/.env
+++ b/compose/services/rsshub/.env
@ -0,0 +1,23 @@
 # RSSHub Configuration
 # Node environment
 NODE_ENV=production
 # Cache type (memory or redis)
 CACHE_TYPE=memory
 # Cache expiration time in seconds (default: 5 minutes)
 CACHE_EXPIRE=300
 # Timezone
 TZ=America/Los_Angeles
 # Optional: Redis configuration (if using redis cache)
 # CACHE_TYPE=redis
 # REDIS_URL=redis://redis:6379/
 # Optional: Access control
 # ACCESS_KEY=your_access_key_here
 # Optional: Logging
 # LOGGER_LEVEL=info  # debug, info, warn, error
--- a/compose/services/rsshub/compose.yaml
+++ b/compose/services/rsshub/compose.yaml
@ -6,71 +6,7 @@ services:
    container_name: rsshub
    # Using chromium-bundled image for full puppeteer support
    image: diygod/rsshub:chromium-bundled
    environment:
      NODE_ENV: production
      CACHE_TYPE: redis
      REDIS_URL: redis://rsshub-redis:6379/
      PUPPETEER_WS_ENDPOINT: ws://rsshub-browserless:3000
      TZ: America/Los_Angeles
    restart: always
    networks:
      - homelab
      - rsshub_internal
    depends_on:
      - rsshub-redis
      - rsshub-browserless
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:1200/healthz"]
      interval: 30s
      timeout: 10s
      retries: 3
    labels:
      traefik.enable: true
      traefik.docker.network: homelab
      traefik.http.routers.rsshub.rule: Host(`rsshub.fig.systems`) || Host(`rsshub.edfig.dev`)
      traefik.http.routers.rsshub.entrypoints: websecure
      traefik.http.routers.rsshub.tls.certresolver: letsencrypt
      traefik.http.services.rsshub.loadbalancer.server.port: 1200
      # Optional: enable SSO (may interfere with RSS readers)
      # traefik.http.routers.rsshub.middlewares: tinyauth
-  rsshub-browserless:
+    env_file:
    container_name: rsshub-browserless
    image: browserless/chrome
    restart: always
    networks:
      - rsshub_internal
    ulimits:
      core:
        hard: 0
        soft: 0
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/pressure"]
      interval: 30s
      timeout: 10s
      retries: 3
-  rsshub-redis:
+      - .env
    container_name: rsshub-redis
    image: redis:alpine
    restart: always
    networks:
      - rsshub_internal
    volumes:
      - redis-data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 5s
 networks:
  homelab:
    external: true
  rsshub_internal:
    name: rsshub_internal
    driver: bridge
 volumes:
  redis-data:
--- a/compose/services/vikunja/.env
+++ b/compose/services/vikunja/.env
@ -0,0 +1,28 @@
 # Vikunja Configuration
 # Public URL
 VIKUNJA_SERVICE_PUBLICURL=https://tasks.fig.systems
 # Database Configuration
 VIKUNJA_DATABASE_HOST=vikunja-db
 VIKUNJA_DATABASE_TYPE=postgres
 VIKUNJA_DATABASE_USER=vikunja
 VIKUNJA_DATABASE_DATABASE=vikunja
 # Generate with: openssl rand -base64 32 | tr -d /=+ | cut -c1-32
 # Example format: cD5eF8gH1jK3lM6nO9pQ2rS5tU8vW1xY
 VIKUNJA_DATABASE_PASSWORD=changeme_please_set_secure_password
 # JWT Secret for session management (64+ character random string)
 # Generate with: openssl rand -hex 32
 # Example format: c2d3e4f567890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890abc
 VIKUNJA_SERVICE_JWTSECRET=changeme_please_set_random_jwt_secret
 # Timezone
 TZ=America/Los_Angeles
 # Database environment variables (for postgres container)
 POSTGRES_USER=vikunja
 POSTGRES_DB=vikunja
 # Must match VIKUNJA_DATABASE_PASSWORD above
 # Example format: cD5eF8gH1jK3lM6nO9pQ2rS5tU8vW1xY
 POSTGRES_PASSWORD=changeme_please_set_secure_password
--- a/compose/services/vikunja/compose.yaml
+++ b/compose/services/vikunja/compose.yaml
@ -5,15 +5,8 @@ services:
  vikunja:
    container_name: vikunja
    image: vikunja/vikunja:latest
-    environment:
+    env_file:
-      VIKUNJA_SERVICE_PUBLICURL: https://tasks.fig.systems
+      - .env
      VIKUNJA_DATABASE_HOST: vikunja-db
      VIKUNJA_DATABASE_PASSWORD: changeme_please_set_secure_password
      VIKUNJA_DATABASE_TYPE: postgres
      VIKUNJA_DATABASE_USER: vikunja
      VIKUNJA_DATABASE_DATABASE: vikunja
      VIKUNJA_SERVICE_JWTSECRET: changeme_please_set_random_jwt_secret
      TZ: America/Los_Angeles
    volumes:
      - ./files:/app/vikunja/files
    depends_on:
@ -35,11 +28,8 @@ services:
  vikunja-db:
    container_name: vikunja-db
    image: postgres:18
-    environment:
+    env_file:
-      POSTGRES_PASSWORD: changeme_please_set_secure_password
+      - .env
      POSTGRES_USER: vikunja
      POSTGRES_DB: vikunja
      TZ: America/Los_Angeles
    volumes:
      - ./db:/var/lib/postgresql/data
    restart: unless-stopped